Distorting Biometric Images to Enhance Security of Databases

Brian Bergstein On Aug 26, 2005
Source: Associated Press

BOSTON -- A trick reminiscent of a fun-house mirror might improve
the security and privacy of the access-control technology that examines
fingerprints, facial features or other personal characteristics.

In such systems, known as biometrics, a computer generally reduces an
image to a template of "minutia points" - notable features such as a
loop in a fingerprint or the position of an eye. Those points are
converted to a numeric string by a mathematical algorithm, then stored
for later analysis.

But those mathematical templates, if stolen, can be dangerous.

So researchers have developed ways to alter images in a defined,
repeatable way, so that hackers who managed to crack a biometric
database would be able to steal only the distortion - not the true,
original face or fingerprint.

Charles Palmer, head security researcher for International Business
Machines Corp., believes biometric fraud will become more sophisticated
- and problematic - as border crossings, passports, financial networks,
personal computers and even checkout counters increasingly use the
technology.

Worldwide biometric industry revenue is expected to soar from $1.5
billion (euro1.2 billion) this year to $5.3 billion (euro4.3 billion) in
2010, with government and law enforcement accounting for almost half of
the total, according to the International Biometric Group, a consulting
firm.

"Let's face it: When it becomes worth hacking, it will be (done),"
Palmer said. "The threat right now might not be massive, but I do
believe the threat will be large very soon."

Although it is considered impossible to take an image's minutia points
and re-create the original, it is possible to concoct an image that
shares those points and use it to trick a biometric system.

IBM's solution is to make biometric readers distort the image before it
is scanned. For example, a face might be made to appear lumpy, or
squished up around the eyes. Then a template of the distorted image
would be stored.

When someone returned to the scanner, the real-life image would be
transformed according to the same patterns, creating a match with the
tweaked image in the database.

The original image isn't stored anywhere. And even if hackers could
obtain the altered biometric, it would be of limited use as long as
individual organizations maintained their own formulas for transforming
images before scanning.

Therein lies the real advantage of the method. While a standard
biometric can't be torn up and reissued like a credit card or password -
since it's based on unchanging aspects of a person's physical appearance
- distortion makes that possible. A bank or an office building that had
its biometrics compromised could register new ones simply by changing
the way it transforms images.

That's why IBM calls this "cancelable biometrics."
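
The enroll, verify and cancel cycle described above, as an added Python example that is not IBM's or Iridian's code. It distorts template points rather than the image; the HMAC-keyed grid-cell relocation, the sizes, the keys and the sample minutiae are assumptions constructed for the illustration.

```python
import hashlib
import hmac

CELL, GRID = 32, 8  # assumed: 256x256 capture split into an 8x8 grid of cells

def distort(points, key):
    """Keyed, repeatable distortion: every grid cell is relocated to a cell
    picked by HMAC(key, cell). Several cells may share one target, so the
    stored template alone does not determine the original layout."""
    out = []
    for x, y in points:
        d = hmac.new(key, bytes([x // CELL, y // CELL]), hashlib.sha256).digest()
        tx, ty = d[0] % GRID, d[1] % GRID
        out.append((tx * CELL + x % CELL, ty * CELL + y % CELL))
    return out

def score(template, probe, tol=3):
    """Fraction of template points that have a probe point within tol pixels."""
    hits = sum(
        any((a - c) ** 2 + (b - d) ** 2 <= tol * tol for c, d in probe)
        for a, b in template
    )
    return hits / len(template)

def verify(template, capture, key, threshold=0.8):
    """Distort the fresh capture with the site's key, then compare to the template."""
    return score(template, distort(capture, key)) >= threshold

# Constructed sample: ten minutiae from one finger, and a later capture of the
# same finger with slight sensor jitter and one point missed.
FINGER = [(40, 50), (75, 140), (110, 20), (140, 200), (170, 90),
          (205, 45), (230, 230), (15, 175), (90, 240), (200, 150)]
LIVE = [(x + 1, y - 2) for x, y in FINGER[:-1]]
KEY_V1 = b"example-site transform v1"  # hypothetical per-organization secrets
KEY_V2 = b"example-site transform v2"

def demo():
    stored = distort(FINGER, KEY_V1)             # enrollment: only this is kept
    genuine = verify(stored, LIVE, KEY_V1)       # same person, same transform
    reissued = distort(FINGER, KEY_V2)           # after a breach: new transform
    replayed = verify(reissued, stored, KEY_V2)  # stolen v1 template presented
    still_ok = verify(reissued, LIVE, KEY_V2)    # real finger still works
    return genuine, replayed, still_ok

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

A minutia close to a cell border can land in a different cell on the next capture, which is why the constructed sample keeps its points away from the borders.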

The method has been discussed in research circles for several years, and
at least one biometrics vendor, iris-scanner Iridian Technologies Inc.,
says it offers a cancelable system. Iridian alters the
computer-generated template rather than the original image, but the
effect is the same.

"You can't take a biometric out of one application and replay it in
another," said Frank Fitzsimmons, Iridian's chief executive.

Perhaps the biggest benefit, experts contend, could be to improve public
perceptions about what happens to biometric data behind the scenes as
the technology becomes more widespread.

If an organization can check only its version of distorted biometrics,
that could reduce fears - some realistic, some paranoid - that
government or big companies might maintain a vast database of biometric
data for intrusive tracking or marketing purposes.

The system "could be understood as being more privacy-protected by the
normal, everyday consumer," said Philip Youn, a consultant with the
International Biometric Group.

Even so, Youn said the distortion approach might not necessarily offer
significantly better privacy than systems in which biometric data are
not stored in vulnerable, centralized databases but rather on
chip-embedded "smart" cards that people carry with them. In that
scenario, the biometric reader determines simply that the person with
the card is the person originally granted the card.

Other security experts said the cancelable method is a smart way to add
a layer of protection to a technology that has some security holes
despite being hailed as a huge improvement over more commonly used
security measures.

"This is probably a nice thing to have, but it doesn't resolve all the
issues," said James Wayman, a biometrics expert at San Jose State
University.

After all, Wayman said, biometrics are not secret - they're based on
physical characteristics that we carry around in plain sight. There's no
guarantee someone couldn't lift your real-life fingerprint or take a
picture of your face, then figure out a way to present those images to a
biometric system.